1. Introductions and apologies


1.1. Apologies had been received from Ailsa Beaton and from 
James Edmands who would dial in for his item. Paul Arnold 
was welcomed for discussion on Project Eagle, agenda item 
12, and as an observer. 


2. Declaration of interests
2.1. There were no declarations of interest. 


3. Minutes and action points from the Audit Committee meeting of
the 7 March 2016 


3.1. All of the action points had been cleared.


4. Commissioner’s update


4.1. Christopher Graham provided an update on matters
affecting the ICO. He noted that this would be his last Audit
Committee as his tenure ended on 28 June. Simon Entwisle, 
as deputy Commissioner, will take over the duties of the 
Commissioner pending the arrival of Elizabeth Denham who 
would take up the position of Commissioner on or about the 
18 July. 


4.2. Christopher Graham raised the issue of the 
Government’s decision that annual reports and accounts 
should not be laid prior to the EU referendum, and the 
consequent decision of the NAO not to certify annual reports 
and accounts until 27 June. The ICO had intended to lay on 
that day, allowing the current Commissioner to answer 
questions from external stakeholders and staff on the 
performance of the ICO over the last year at events planned 
for the 28 June. Certification on the 27th and laying on the
28th was possible and James Edmands would be encouraged
to meet this deadline as it was appropriate that, as a
Corporation Sole, the accounts are laid before the
Commissioner retires on 28 June.


4.3. As noted, as deputy Commissioner, Simon Entwisle will 
be acting as Commissioner for the interregnum. There was 
discussion as to how best to support Simon Entwisle during 
this period. 


4.4. Simon Entwisle mentioned his recent meeting with 
Elizabeth Denham. She is looking forward to joining the ICO. 


4.5. Christopher Graham noted that the ICO was waiting for
guidance from the Treasury as to whether or not it could 
introduce an additional allowance which would be payable to 
any member of staff required to take on significant additional 
responsibilities. The concern was that the introduction of the 
allowance might have to be taken into account in the 1% cap 
on pay awards. The Committee supported the 
Commissioner’s approach. 


4.6. The ICO was now focused on the EU data protection 
reforms and their introduction in May 2018. The reforms 
would have an impact on the size and make up of the ICO. 


4.7. Christopher Graham thanked the Audit Committee for 
its help and support over the last seven years. 


5. Risk management


5.1. Peter Bloomfield introduced the risk register. It had
been revised since the last Management Board. No specific 
comments were raised. 


6. Finance


6.1. The end of year finance report was presented to the 
Committee. The report included a summary of the financial 
year, in-year adjustments to the accounts and descriptions of 
the issues that had arisen. It provided a link between the 
management accounts and the end of year statutory 
accounts. 


6.2. Sally Hanson was thanked for stepping into the role of 
Interim Head of Finance. 


7. Outstanding audit recommendations


7.1. Peter Bloomfield introduced the register of outstanding 
audit actions. The ICO was keeping on top of the actions but 
there were a number where dates had been revised. The 
Committee considered that, in the main, the originally agreed 
timescales for actions should be realistic and should be met. 


7.2. Whether or not the recommendation relating to a 
recruitment and selection strategy was cleared was 
questioned. It was noted as having been superseded by the 
ICO Change Programme; preparing the ICO for the EU data 
protection reforms. However the view of the Committee was
that the need for a recruitment and selection strategy was
more important now than it had ever been. 


Action point: Peter Bloomfield to amend the register to 
show that the action had not been cleared and to 
advise the Head of Organisational Development. 


8. Internal audit 


Project Eagle review 


8.1. Will Simpson introduced this report. Grant Thornton had 
gone out to external stakeholders and asked what they 
thought of the changes introduced under Project Eagle. There 
had been relatively consistent feedback received from 
stakeholders under each of the areas looked at and good 
practice recommendations had been provided. 


8.2. It was confirmed that dates had now been provided for 
the agreed actions. 


8.3. There had been a delay in bringing the report to the 
Committee partly due to the researchers having to go back 
out to stakeholders as the initial response rate had been low, 
and partly due to delays in clearing the report. 


8.4. One of the recommendations related to inconsistencies 
in deadlines given by the ICO for responses from data 
controllers. Simon Entwisle provided some background to 
why different deadlines might be given which did mean that 
consistency was difficult to achieve. 


Action point: Peter Bloomfield to update the Project 
Eagle report with the agreed timings and to liaise with 
Grant Thornton over finalising the report. 


Follow-up review


8.5. Paul Eckersley reported back on the follow-up report. 
There were no recommendations. 


Internal audit report 2015/16 


8.6. Paul Eckersley introduced the Grant Thornton Annual 
Report for 2015/16. It included a review of the year and their 
audit opinion; that in the areas of risk management, 
corporate governance and internal controls the activities and 
controls are suitably designed to achieve the objectives 
required by management and were operating with sufficient 
effectiveness to provide reasonable, but not absolute, 
assurance that the objectives were achieved during the year. 


Internal audit plan 2016/17 


8.7. Paul Eckersley also introduced the internal audit plan for 
this year (2016/17). It included a look ahead to areas for 
possible audit during 2017/18 and 2018/19. There were 
questions over the timing of some of the proposed audits, 
depending as they would on the views of the new 
Commissioner. The Committee considered that it was 
important for the new Commissioner to meet with the 
internal auditors early in her tenure. 


Action point: Peter Bloomfield to liaise with the 
Commissioner’s support to arrange an early meeting
between the internal auditors and the new 
Commissioner. 


8.8. Simon reported back that the ICO was working actively 
with DCMS on fee forecasting. 


8.9. Paul Arnold advised that work around preparing for 
Share Point implementation had now been done, although 
there needed to be consideration of how best to follow up 
MERIDIO replacement. And current IT audits needed to be 
focused on day to day controls and processes. They were 
currently framed in quite broad terms. 


Action point: Paul Arnold and Paul Eckersley to liaise 
over the proposed IT audits. 


8.10. Louise Byers advised that the ICO was looking at 
auditing its own data protection compliance. 


8.11. The Committee adopted the audit plan as drafted. 


9. External audit


Final audit completion report 2015/16 


9.1. James Edmands was welcomed to the meeting by
telephone. 


9.2. David Eagles introduced the Audit Completion Report 
2015/16, thanking Sally Hanson, the Finance Team, Louise
Byers and Peter Bloomfield for their assistance. 


9.3. The report concluded that the auditors anticipated 
recommending to the Comptroller and Auditor General that 
he should certify the 2015-16 financial statements with an 
unqualified audit opinion. 


9.4. Areas highlighted in the report included the review of 
significant financial statement risks (the management 
override of controls), personnel and system changes in the
Finance Team, organisational and governance changes
affecting the wider ICO (eg changes in sponsoring 
department), and dilapidation provisions in respect of the 
lease. 


9.5. Louise Byers updated the Committee on 
accommodation. It had been agreed with the Department for 
Culture, Media and Sport that the ICO could retain the 
ground floor of the annex to Wycliffe House. The ICO was in 
the process of negotiating the lease renewal with the
landlord. 


9.6. In respect of the Annual Report and Accounts David 
Eagles identified that BDO had a few minor comments on the 
document and they were currently discussing these with Sally 
Hanson. BDO expect to clear these outstanding matters 
shortly. 


9.7. BDO had identified issues arising out of the end of year 
processes relating to the new ICO finance system. Sally 
Hanson described staffing changes and systems 
administration access. She also explained that the Finance 
Team was small and segregation of duties was therefore 
difficult to achieve. She was planning a project to look at 
delegated rights, purchase management access and control, 
and procedures and documentation. The project would be 
completed by the end of the calendar year. The project would 
also include wider staff training on use of the finance system 
which would go some way to help improve the financial 
management and control environment. 


9.8. The Committee supported the project and agreed the 
deadline.


9.9. Ian Watmore thanked Sally Hanson, Louise Byers and
the audit team for a smooth end of year audit process.


9.10. There followed discussion of timing for certification and 
laying of the Annual report and Accounts. James Edmands 
confirmed that no accounts would be laid before the 
referendum. This meant that the C&AG would certify 
accounts from 27 June onwards. James Edmands was 
encouraged to ensure that the ICO Annual Report and 
Accounts are certified on 27 June so that they can be laid on 
the 28 June. This was crucial as the Commissioner’s tenure 
finishes on 28 June and it is important that, as Corporation 
Sole, the accounts are laid before the Commissioner’s 
retirement. 


9.11. The Committee asked whether certification could be the 
week earlier with laying on the 27 June. James Edmands
would consider this. But 100s of organisations would be
trying to lay at the same time. 


Action point: James Edmands to report back to the ICO 
on the various issues affecting the certification and 
laying of the ICO annual report and accounts as soon
as decisions had been made. 


9.12. The Audit Committee agreed and recommended that the 
Commissioner sign the letter of representation. 


10. ICO Audit Committee annual report 2015/16


10.1. Peter Bloomfield presented the ICO Audit Committee 
Annual report. This had been broadly agreed at an earlier 
meeting and had been updated to reflect the numbers of 
audit recommendations, and the internal and external audit 
opinions given. Following earlier discussion at this meeting 
there was a need to make minor amendments relating to the 
clearance of internal audit recommendations. 


10.2. The Committee agreed to adding concerns about the 
number of recommendations cleared, but only after dates 
had been revised. There was also a change needed under 
“Audit Committee Opinion”. 


Action: Peter to amend the ICO Audit Committee
Annual Report 2015-2016, to clear it in
correspondence with the Committee, and to publish it
on the ICO website.


11. ICO Annual report and Accounts 2015/16


11.1. Peter Bloomfield presented the ICO Annual Report and 
Accounts 2015-16. The draft would go to the designers 
shortly; as soon as the minor amendments identified had 
been made and the “Certificate and Report of the Comptroller 
and Auditor General” had been incorporated. 


12. Report on fraud, whistleblowing and security matters 


12.1. Peter Bloomfield introduced the report on fraud, 
whistleblowing and security matters. There had been a 
number of minor security incidents reported to the steering 
group. 


12.2. Paul Arnold provided a summary of an investigation into
a recent security incident involving the management of the
ICO's cryptographic materials. The incident had been
contained, investigated and ultimately classified as low risk.
The Committee was disturbed by the incident but was
satisfied that it had been dealt with appropriately. The
Committee also agreed the proposal for an increased role for
internal audit when reviewing controls in this area.


13. Any other urgent business


13.1. On behalf of the Committee and attendees Ian Watmore
wished Christopher Graham well for the future and thanked
him for the corporate governance framework he has been so
diligent in maintaining.


